Documentation + refactoring

Author: gherynos

.pre-commit-config.yaml

@@ -48,3 +48,4 @@ repos:
       - id: go-vet
       - id: go-cyclo
         args: [-over=15]
+      - id: go-lint

README.md

@@ -3,14 +3,15 @@
 [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
 ![build](https://github.com/gherynos/vault-backend/workflows/build/badge.svg)
 ![release](https://github.com/gherynos/vault-backend/workflows/release/badge.svg)
+[![go-report-card](https://goreportcard.com/badge/github.com/gherynos/vault-backend)](https://goreportcard.com/report/github.com/gherynos/vault-backend)
 
 A Terraform [HTTP backend](https://www.terraform.io/docs/backends/types/http.html) that stores the state in a [Vault secret](https://www.vaultproject.io/docs/secrets/kv/kv-v2).
 
 The server supports locking and leverages the versioning capabilities of Vault by creating a new secret version when creating/updating the state.
 
 ## Terraform config
 
-The server authenticates to Vault using [AppRole](https://www.vaultproject.io/docs/auth/approle), with `role_id` and `secret_id` passed respectively as the `username` and `password` in the configuration.
+The server authenticates to Vault using [AppRole](https://www.vaultproject.io/docs/auth/approle), with `role_id` and `secret_id` passed respectively as the `username` and `password` in the configuration:
 
 ```terraform
 terraform {
@@ -25,14 +26,29 @@ terraform {
 }
 ```
 
+or directly with a [token](https://www.vaultproject.io/docs/auth/token):
+
+```terraform
+terraform {
+  backend "http" {
+    address = "http://localhost:8080/state/<STATE_NAME>"
+    lock_address = "http://localhost:8080/state/<STATE_NAME>"
+    unlock_address = "http://localhost:8080/state/<STATE_NAME>"
+
+    username = "TOKEN"
+    password = "<TOKEN_VALUE>"
+  }
+}
+```
+
 where `<STATE_NAME>` is an arbitrary value used to distinguish the backends.
 
 With the above configuration, Terraform connects to a vault-backend server running locally on port 8080 when loading/storing/locking the state, and the server manages the following secrets in Vault:
 
 - `/secret/vbk/<STATE_NAME>`
 - `/secret/vbk/<STATE_NAME>-lock`
 
-The latter created when a lock is acquired and deleted when released.
+the latter gets created when a lock is acquired and deleted when released.
 
 ## Vault Backend config
 
@@ -73,4 +89,4 @@ path "secret/metadata/vbk/cloud-services-lock"
 
 ## License
 
-vault-backend is licensed under the [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0).
+Vault Backend is licensed under the [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0).

server/server.go

@@ -13,9 +13,10 @@ import (
 	"os"
 )
 
+// Version defines the version of the server
 const Version = "0.3.0"
 
-func checkLockId(store s.Store, state, id string) (proceed bool, data string, err error) {
+func checkLockID(store s.Store, state, id string) (proceed bool, data string, err error) {
 
 	var value []byte
 	if value, err = store.GetBin(fmt.Sprintf("%s-lock", state)); err != nil {
@@ -75,7 +76,7 @@ func stateHandlerPost(logger *log.Entry, store s.Store, state string, r *http.Re
 
 	logger.Debug("Store state")
 
-	if proceed, data, err := checkLockId(store, state, r.URL.Query().Get("ID")); err != nil {
+	if proceed, data, err := checkLockID(store, state, r.URL.Query().Get("ID")); err != nil {
 
 		switch err.(type) {
 
@@ -101,32 +102,32 @@ func stateHandlerPost(logger *log.Entry, store s.Store, state string, r *http.Re
 		return http.StatusLocked, data
 	}
 
-	if reqBody, err := ioutil.ReadAll(r.Body); err != nil {
+	var reqBody []byte
+	var err error
+	if reqBody, err = ioutil.ReadAll(r.Body); err != nil {
 
 		return http.StatusBadRequest, http.StatusText(http.StatusBadRequest)
+	}
 
-	} else {
-
-		if err := store.SetBin(state, reqBody); err != nil {
+	if err := store.SetBin(state, reqBody); err != nil {
 
-			switch err.(type) {
+		switch err.(type) {
 
-			case *api.ResponseError:
-				{
-					re := err.(*api.ResponseError)
-					return re.StatusCode, re.Error()
-				}
+		case *api.ResponseError:
+			{
+				re := err.(*api.ResponseError)
+				return re.StatusCode, re.Error()
+			}
 
-			default:
-				{
-					logger.WithError(err).Error("unable to store state")
-					return http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError)
-				}
+		default:
+			{
+				logger.WithError(err).Error("unable to store state")
+				return http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError)
 			}
 		}
-
-		return 200, ""
 	}
+
+	return 200, ""
 }
 
 func stateHandlerLock(logger *log.Entry, store s.Store, state string, r *http.Request, w http.ResponseWriter) (int, string) {
@@ -141,18 +142,17 @@ func stateHandlerLock(logger *log.Entry, store s.Store, state string, r *http.Re
 
 		case *s.ItemNotFoundError:
 			{
-
-				if reqBody, err := ioutil.ReadAll(r.Body); err != nil {
+				var reqBody []byte
+				var err error
+				if reqBody, err = ioutil.ReadAll(r.Body); err != nil {
 
 					return http.StatusBadRequest, http.StatusText(http.StatusBadRequest)
+				}
 
-				} else {
-
-					if err := store.SetBin(name, reqBody); err != nil {
+				if err := store.SetBin(name, reqBody); err != nil {
 
-						logger.WithError(err).Error("unable to store lock")
-						return http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError)
-					}
+					logger.WithError(err).Error("unable to store lock")
+					return http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError)
 				}
 
 				return 200, ""
@@ -180,66 +180,66 @@ func stateHandlerUnlock(logger *log.Entry, store s.Store, state string, pool s.P
 
 	logger.Debug("Unlock state")
 
-	if reqBody, err := ioutil.ReadAll(r.Body); err != nil {
+	var reqBody []byte
+	var err error
+	if reqBody, err = ioutil.ReadAll(r.Body); err != nil {
 
 		return http.StatusBadRequest, http.StatusText(http.StatusBadRequest)
+	}
 
-	} else {
-
-		var body map[string]interface{}
-		if err := json.Unmarshal(reqBody, &body); err != nil {
+	var body map[string]interface{}
+	if err := json.Unmarshal(reqBody, &body); err != nil {
 
-			return http.StatusBadRequest, http.StatusText(http.StatusBadRequest)
-		}
+		return http.StatusBadRequest, http.StatusText(http.StatusBadRequest)
+	}
 
-		if proceed, data, err := checkLockId(store, state, body["ID"].(string)); err != nil {
+	if proceed, data, err := checkLockID(store, state, body["ID"].(string)); err != nil {
 
-			switch err.(type) {
+		switch err.(type) {
 
-			case *s.ItemNotFoundError:
-				return http.StatusUnprocessableEntity, http.StatusText(http.StatusUnprocessableEntity)
+		case *s.ItemNotFoundError:
+			return http.StatusUnprocessableEntity, http.StatusText(http.StatusUnprocessableEntity)
 
-			case *api.ResponseError:
-				{
-					re := err.(*api.ResponseError)
-					return re.StatusCode, re.Error()
-				}
+		case *api.ResponseError:
+			{
+				re := err.(*api.ResponseError)
+				return re.StatusCode, re.Error()
+			}
 
-			default:
-				{
-					logger.WithError(err).Error("unable to check lock")
-					return http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError)
-				}
+		default:
+			{
+				logger.WithError(err).Error("unable to check lock")
+				return http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError)
 			}
+		}
 
-		} else if !proceed {
+	} else if !proceed {
 
-			w.Header().Set("Content-Type", "application/json")
-			return http.StatusConflict, data
-		}
+		w.Header().Set("Content-Type", "application/json")
+		return http.StatusConflict, data
+	}
 
-		if err := store.Delete(fmt.Sprintf("%s-lock", state)); err != nil {
+	if err := store.Delete(fmt.Sprintf("%s-lock", state)); err != nil {
 
-			switch err.(type) {
+		switch err.(type) {
 
-			case *api.ResponseError:
-				{
-					re := err.(*api.ResponseError)
-					return re.StatusCode, re.Error()
-				}
+		case *api.ResponseError:
+			{
+				re := err.(*api.ResponseError)
+				return re.StatusCode, re.Error()
+			}
 
-			default:
-				{
-					logger.WithError(err).Error("unable to remove lock")
-					return http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError)
-				}
+		default:
+			{
+				logger.WithError(err).Error("unable to remove lock")
+				return http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError)
 			}
 		}
+	}
 
-		pool.Delete(userPassEnc)
+	pool.Delete(userPassEnc)
 
-		return 200, ""
-	}
+	return 200, ""
 }
 
 func stateHandler(pool s.Pool, w http.ResponseWriter, r *http.Request) (int, string) {
@@ -330,6 +330,7 @@ func getEnv(key, fallback string) string {
 	return fallback
 }
 
+// RunServer starts the Vault Backend TCP server
 func RunServer() {
 
 	if _, debug := os.LookupEnv("DEBUG"); debug {

server/server_test.go

@@ -277,13 +277,11 @@ func (p *MockPool) Get(identifier string) (val s.Store, err error) {
 	if val, ok = p.stores[identifier]; ok {
 
 		return
-
-	} else {
-
-		val = NewMockStore()
-		p.stores[identifier] = val
-		return
 	}
+
+	val = NewMockStore()
+	p.stores[identifier] = val
+	return
 }
 
 func (p *MockPool) Delete(identifier string) {

server/vault_pool.go

@@ -9,13 +9,17 @@ import (
 	"sync"
 )
 
+// VaultPool is an implementation of Pool that manages Vault stores.
 type VaultPool struct {
 	vaultURL, prefix string
 
 	stores map[string]*vault.Vault
 	mutex  sync.Mutex
 }
 
+// NewVaultPool creates a new pool of Vault stores.
+// VaultURL is the URL of the Vault server to connect to.
+// prefix is the string prefix used when storing the secrets in Vault.
 func NewVaultPool(vaultURL, prefix string) s.Pool {
 
 	vp := &VaultPool{vaultURL: vaultURL, prefix: prefix}
@@ -24,6 +28,7 @@ func NewVaultPool(vaultURL, prefix string) s.Pool {
 	return vp
 }
 
+// Get creates or retrieves a Vault store given an identifier.
 func (vp *VaultPool) Get(identifier string) (val s.Store, err error) {
 
 	vp.mutex.Lock()
@@ -33,38 +38,38 @@ func (vp *VaultPool) Get(identifier string) (val s.Store, err error) {
 	if val, ok = vp.stores[identifier]; ok {
 
 		return
+	}
 
-	} else {
-
-		log.Debug("Creating a new Vault client...")
-
-		var dec []byte
-		if dec, err = base64.StdEncoding.DecodeString(identifier); err != nil {
+	log.Debug("Creating a new Vault client...")
 
-			return
-		}
+	var dec []byte
+	if dec, err = base64.StdEncoding.DecodeString(identifier); err != nil {
 
-		userPass := strings.Split(string(dec), ":")
-		var vt *vault.Vault
-		if userPass[0] == "TOKEN" {
+		return
+	}
 
-			vt, err = vault.NewWithToken(vp.vaultURL, userPass[1], vp.prefix)
+	userPass := strings.Split(string(dec), ":")
+	var vt *vault.Vault
+	if userPass[0] == "TOKEN" {
 
-		} else {
+		vt, err = vault.NewWithToken(vp.vaultURL, userPass[1], vp.prefix)
 
-			vt, err = vault.NewWithAppRole(vp.vaultURL, userPass[0], userPass[1], vp.prefix)
-		}
-		if err != nil {
+	} else {
 
-			return
-		}
+		vt, err = vault.NewWithAppRole(vp.vaultURL, userPass[0], userPass[1], vp.prefix)
+	}
+	if err != nil {
 
-		val = vt
-		vp.stores[identifier] = vt
 		return
 	}
+
+	val = vt
+	vp.stores[identifier] = vt
+	return
 }
 
+// Delete removes the Vault store associated with the identifier.
+// Invoking delete using a non-existing identifier has no effect.
 func (vp *VaultPool) Delete(identifier string) {
 
 	vp.mutex.Lock()

store/item_not_found.go

@@ -1,5 +1,6 @@
 package store
 
+// ItemNotFoundError is an error returned when a requested item is not present in a Store.
 type ItemNotFoundError struct{}
 
 func (e *ItemNotFoundError) Error() string {

store/pool.go

@@ -1,5 +1,8 @@
 package store
 
+// Pool is a collection of Stores.
+// The Get method creates a new Store for the given identifier if not already present.
+// Trying to delete a Store via an unknown identifier has no effect.
 type Pool interface {
 	Get(identifier string) (Store, error)
 

store/store.go

@@ -1,5 +1,7 @@
 package store
 
+// Store is a collection of byte arrays.
+// The byte arrays can be stored, retrieved and deleted by name.
 type Store interface {
 	SetBin(name string, data []byte) error